Digital Identity, Security & Online Fraud

OAuth login flow abused for account takeover

Tuesday 9 October 2018 | 12:16 PM CET

An attack against the OAuth authorization flow has affected companies that use a token-based login to link third-party social accounts.

Questions about the security of OAuth integrations were raised after a researcher discovered a vulnerability in Periscope's Twitter login, which could enable the takeover of users' accounts.

Publishing his findings on HackerOne, Ron Chan said that logging in to Periscope TV through Twitter was susceptible to a Host header attack that could result in a victim's credentials being stolen.

Host header attacks are normally limited to password reset poisoning or web cache poisoning, because the poisoned link has to reach the victim through some out-of-band channel. Chan discovered that he could use Periscope's OAuth login flow as that channel, provided his victim holds both a Periscope and a Twitter account.

Chan added that, because the service derived its OAuth callback URL from the Host header of the incoming request, an attacker who changes that header obtains an authorization link whose callback points at a host the attacker controls. Sending that link to the victim causes the token issued for the victim's account to be delivered to the attacker, who can then use it to obtain the user's account details.
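The flaw class described above, shown as an added example in Python. This is illustrative code written for this page, not code from Periscope, Twitter or Chan's report; the endpoint, client ID, callback path and host names (`provider.example`, `app.example`, `attacker.example`) are all assumed. The vulnerable builder derives the OAuth `redirect_uri` from the incoming `Host` header; the hardened builder allowlists the header and always uses a configured canonical host, and a second check shows the provider-side defence of exact redirect URI matching.

```python
"""Host header poisoning of an OAuth callback URL, beside the fix."""
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values for the example; the article names none of these.
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"
CLIENT_ID = "demo-client"
CALLBACK_PATH = "/auth/callback"

# Hardened configuration: the only host this app may ever name as its own.
CANONICAL_HOST = "app.example"
ALLOWED_HOSTS = {CANONICAL_HOST}

# Provider side: the redirect URI the client registered in advance.
REGISTERED_REDIRECT_URI = f"https://{CANONICAL_HOST}{CALLBACK_PATH}"


def _authorize_url(redirect_uri: str) -> str:
    """Assemble the provider login link for a given callback URL."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def vulnerable_authorize_url(request_headers: dict) -> str:
    """Build the login link from the client-supplied Host header.

    Whatever the attacker puts in Host becomes the host the provider will
    send the token back to. This is the bug pattern the article describes.
    """
    host = request_headers.get("Host", CANONICAL_HOST)
    return _authorize_url(f"https://{host}{CALLBACK_PATH}")


def hardened_authorize_url(request_headers: dict) -> str:
    """Reject unexpected Host values and never derive the callback from them."""
    host = request_headers.get("Host", "")
    bare_host = host.split(":", 1)[0].lower()  # drop an explicit port
    if bare_host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    # Even for a valid Host, the callback comes from configuration only.
    return _authorize_url(f"https://{CANONICAL_HOST}{CALLBACK_PATH}")


def callback_host(authorize_url: str) -> str:
    """Return the host the provider would deliver the token to."""
    query = parse_qs(urlparse(authorize_url).query)
    return urlparse(query["redirect_uri"][0]).hostname


def provider_accepts(redirect_uri: str) -> bool:
    """Provider-side check: only an exact match of the registered URI passes.

    With this in place a poisoned redirect_uri is refused even if the client
    application builds it from the Host header.
    """
    return redirect_uri == REGISTERED_REDIRECT_URI


# Constructed sample requests, not captured traffic.
LEGIT_REQUEST = {"Host": "app.example"}
POISONED_REQUEST = {"Host": "attacker.example"}

if __name__ == "__main__":
    print("vulnerable, legit  ->", callback_host(vulnerable_authorize_url(LEGIT_REQUEST)))
    print("vulnerable, poison ->", callback_host(vulnerable_authorize_url(POISONED_REQUEST)))
    print("hardened, legit    ->", callback_host(hardened_authorize_url(LEGIT_REQUEST)))
    try:
        hardened_authorize_url(POISONED_REQUEST)
    except ValueError as exc:
        print("hardened, poison   -> rejected:", exc)
```

Two layers are shown on purpose: the application should never trust `Host` (or `X-Forwarded-Host`) when constructing URLs it hands to a third party, and the authorization server should compare `redirect_uri` against the registered value by exact string match rather than by prefix or by host only.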
